NERC CIP Compliance Defining your Electronic Security Perimeter (ESP) and Access Point Security.
Date posted: 18-Dec-2015 | Category: Documents

Transcript of the slides
NERC CIP Compliance
Defining your Electronic Security Perimeter (ESP) and Access Point Security
Agenda
• Specific NERC CIP-005 Requirements
• Underlying fundamentals of the ESP architecture
• Building ESPs using Security Enclaves and DinD (Defense in Depth)
• Vulnerability Assessment Methodology
• Simple Principles
Disclaimer
CAUTION: Every environment is different and requires its own analysis. The material in this presentation may not represent your corporate or architectural requirements.
ADVISORY: Education, consulting and compliance depend on correctly interpreting and conveying information; the same applies to this content.
NERC CIP Compliance
Specific NERC CIP-005 Requirements
Specific NERC CIP-005 Requirements
CIP-005-1 – Cyber Security – Electronic Security Perimeters: requires the identification and protection of an Electronic Security Perimeter and its access points. The ESP is to encompass the Critical Cyber Assets identified pursuant to the methodology required by CIP-002-1.
Specific NERC CIP-005 Requirements
• Requirement 1 – Electronic Security Perimeter: define an ESP and its access points to protect Critical Cyber Assets
• Requirement 2 – Electronic Access Controls
  – Deny by default
  – Enable only required ports and services
  – Secure dial-up access
  – Documentation
  – Appropriate use banner
• Requirement 3 – Monitoring Electronic Access (covered in the SIEM presentation in two weeks)
• Requirement 4 – Cyber Vulnerability Assessment
• Requirement 5 – Documentation Review and Maintenance
• Monitor FERC Order 706 activity
Specific NERC CIP-005 Requirements
The following are exempt from Standard CIP-005:
• 4.2.1 Facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian Nuclear Safety Commission.
• 4.2.2 Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters.
• 4.2.3 Responsible Entities that, in compliance with Standard CIP-002, identify that they have no Critical Cyber Assets.
NERC CIP Compliance
Underlying fundamentals of the ESP architecture
Architecting your ESP to provide the appropriate access control and monitoring capabilities
• Approach, controls, monitoring, assessment and documentation requirements are defined in CIP-005
• It is challenging to define an electronic perimeter around geographically dispersed systems that collect information and perform automated and manual control operations
• Organizations must think methodically about their approach and thoroughly understand the environment and the types of controls
• Define an ESP access point access-control request, review and response workflow
• Define an appropriate trust model for your systems (enclaves)
• Ensure the adequacy of protection and the continued high availability of authorized access and control
Integrating ESP high-availability identity management solutions
• Understand your organization's trust model based upon the enclave approach outlined in the methodology
  – Select your identity type, system and appropriate audit trail for each ESP enclave
  – Define the appropriate administrative and operational trusts for system access
  – Separate technical administrators, developers, system operators and general users
  – Correlate your physical and cyber identities as appropriate
  – Ensure identity integrity throughout the ESP
  – Define operational procedures to support high-availability access to ensure safety
Control System Network Architecture
The following slides reproduce figures from Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May 2006):
• Traditional Isolation of Corporate and Control Domains
• Overview of Contemporary Control System Architectures
• Database Attack Vector
• Common Security Zones
• Firewall Deployment for Common Security Zones
• Defense in Depth with IDS
• Corporate IT to Control System IT Comparison
NERC CIP Compliance
Building ESPs using Security Enclaves and DinD (Defense in Depth)
Definition: Security Enclaves
An enclave is, as defined in Department of Defense Directive (DoDD) 8500.1, E2.1.16.2, "the collection of computing environments connected by one or more internal networks under the control of a single authority and security policy, including personnel and physical security."
• Terminology potpourri: security zones, demilitarized zones, transactional zones
• Determine security controls and define system interactions
• Review NIST SP 800-53 r2 and NIST SP 800-82
Security Enclave Creation
Security enclaves provide the layers of trusted systems which limit untrusted interactions.
Enclave creation can be based upon:
• Mission criticality
• Operational requirements
• Type of application
• System users
• Trusted versus untrusted interactions
Enclave Split – Services
Services are separated among enclaves (separation of duties):
• External DNS / internal DNS
• External mail / internal mail
• External web / internal web
• External authentication / internal authentication
• Split Active Directory domains
• Out-of-band management network
• Application proxy
Building Security Enclaves
Defined logical ESP access points with enterprise identity management and network-integrated firewalls and IDS.
Diagram (single-site enclave layout): a high-availability virtualized architecture with firewalls, IDS/EDS and a site-to-site VPN over a restricted WAN; enclaves for remote VPN, contractor, identity management and uncontrolled ISO access, office desktop systems, testing, control, and ISO / identity and event management; the legend marks the ESP boundary.
Building Security Enclaves
Diagram (primary and secondary sites): each site holds control enclaves for generating / substations, a testing enclave, an ISO enclave, and remote VPN, contractor and uncontrolled ISO enclaves plus office systems, on a high-availability virtualized architecture with firewalls and IDS/EDS, linked over WAN and VPN; the legend marks the ESP boundary.
Defining Ports and Services Access Rules
• Do you know who, how, why, where, and when the system communicates across the network?
• Known communication between systems
  – Review levels of system trust for the need of an isolation station / proxy
  – Define appropriate access rules
• Unknown communication between systems
  – Review levels of system trust for the need of an isolation station / proxy
  – Work with the application vendor to identify requirements
  – If necessary, enable connectivity in learning mode
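The rule-definition steps above (deny by default, enable only documented ports and services, learning mode for unknown communication) are the kind of thing an access-point review should check mechanically rather than by eye. The following is an added example, not code from the presentation: it parses a constructed firewall rule export, flags permit rules that cross the ESP boundary without a documented service or from an unbounded source, confirms that a closing default-deny exists, and summarizes constructed learning-mode flow records so that undocumented services can be taken to the application vendor before they become rules. The rule and flow text formats, the APPROVED table and the address ranges are all assumptions for illustration.

```python
# Added example: rule/flow formats, the approved-service table and the address
# ranges are constructed for illustration, not taken from any firewall product.
from dataclasses import dataclass
import ipaddress

# Documented services allowed across the ESP boundary (CIP-005 R2: enable only
# the ports and services required for operations), keyed by (proto, port).
APPROVED = {
    ("tcp", 502): "Modbus/TCP polling from EMS front-end to RTUs",
    ("tcp", 20000): "DNP3 to substation gateways",
    ("tcp", 22): "Jump-host administration of control servers",
    ("udp", 514): "Syslog export from control enclave to SIEM",
}
ESP_NETS = [ipaddress.ip_network("10.50.0.0/24")]  # constructed control enclave

# Constructed rule export, one rule per line: action proto src dst port
RULES_TEXT = """\
allow tcp 10.10.5.0/24 10.50.0.0/24 502
allow tcp 10.10.5.0/24 10.50.0.0/24 20000
allow tcp 10.10.9.10/32 10.50.0.0/24 22
allow udp 10.50.0.0/24 10.20.3.7/32 514
allow tcp 0.0.0.0/0 10.50.0.0/24 3389
allow any 10.10.0.0/16 10.50.0.0/24 any
deny any any any any
"""
# Constructed learning-mode flow records: proto src dst dport
FLOWS_TEXT = """\
tcp 10.10.5.21 10.50.0.40 502
tcp 10.10.5.21 10.50.0.41 502
tcp 10.10.5.22 10.50.0.40 20000
tcp 10.10.7.9 10.50.0.40 445
udp 10.50.0.40 10.20.3.7 514
"""

@dataclass(frozen=True)
class Rule:
    line: int
    action: str  # allow | deny
    proto: str   # tcp | udp | any
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    port: str    # port number or "any"

def parse_rules(text):
    """Parse five-field rule lines; blank lines and '#' comments are skipped."""
    rules = []
    for n, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split("#", 1)[0].lower().split()
        if not parts:
            continue
        if len(parts) != 5:
            raise ValueError(f"line {n}: expected 5 fields, got {len(parts)}")
        rules.append(Rule(n, *parts))
    return rules

def _touches_esp(cidr, esp_nets):
    """True if the address field can reach into any ESP network."""
    if cidr == "any":
        return True
    return any(ipaddress.ip_network(cidr, strict=False).overlaps(e) for e in esp_nets)

def review(rules, approved, esp_nets):
    """Return (rule line, finding) pairs: rules that break deny-by-default,
    enable undocumented services, or are shadowed by the closing deny."""
    findings, default_deny_seen = [], False
    for r in rules:
        if default_deny_seen:
            findings.append((r.line, "SHADOWED_BY_DEFAULT_DENY"))
            continue
        if (r.action, r.src, r.dst, r.port) == ("deny", "any", "any", "any"):
            default_deny_seen = True
            continue
        if r.action != "allow" or not (_touches_esp(r.src, esp_nets) or _touches_esp(r.dst, esp_nets)):
            continue  # not an ESP access-point permit rule
        if r.proto == "any" or r.port == "any":
            findings.append((r.line, "ANY_SERVICE"))
        elif (r.proto, int(r.port)) not in approved:
            findings.append((r.line, "UNDOCUMENTED_SERVICE"))
        if r.src in ("any", "0.0.0.0/0", "::/0"):
            findings.append((r.line, "ANY_SOURCE"))
    if not default_deny_seen:
        findings.append((0, "NO_DEFAULT_DENY"))
    return findings

def summarize_flows(text, approved):
    """Aggregate learning-mode flows per (proto, dport); undocumented services
    are the ones to take to the application vendor before writing a rule."""
    summary = {}
    for raw in text.splitlines():
        if raw.strip():
            proto, src, _dst, port = raw.lower().split()
            key = (proto, int(port))
            e = summary.setdefault(key, {"flows": 0, "sources": set(), "documented": key in approved})
            e["flows"] += 1
            e["sources"].add(src)
    return summary

if __name__ == "__main__":
    for line, finding in review(parse_rules(RULES_TEXT), APPROVED, ESP_NETS):
        print(f"rule line {line}: {finding}")
    for (proto, port), e in sorted(summarize_flows(FLOWS_TEXT, APPROVED).items()):
        print(f"{proto}/{port}: {e['flows']} flows, {'documented' if e['documented'] else 'REVIEW WITH VENDOR'}")
```

Run against the constructed export, the review reports the RDP rule open to 0.0.0.0/0 (undocumented service and unbounded source) and the any/any permit, while the closing deny keeps the set deny-by-default; the flow summary marks tcp/445 as the one observed service that has no documented justification. A real export will need its own parser, but the review logic (is every permit crossing the ESP tied to a documented service, and does the set end in a deny) is the same question an auditor asks.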
Defense in Depth Security Controls
• Layers of protection for Information and Control (I & C)
• Provides security against single or multiple points of failure
• Common to define network, client or control-node, server and operational controls
Build Knowing The Attacks: "Man-in-the-Middle"
• The attacker reads, inserts and modifies information without either party being aware
• Can occur at the physical, data-link, network, application and social layers
• Not an exhaustive list of attacks and controls
• What can happen?
  – Incorrect information is conveyed to the operator
  – Incorrect control settings are sent to the system
  – Control is completely taken over by the attacker
Defense in Depth: Network Information and Control (I & C)
• Touchpoints should:
  – Be limited to the absolute minimum at which the purpose of the application can still be satisfied
  – Provide limitations for trusted and untrusted access
• Note: this is not an exhaustive list of Defense in Depth solutions
Controls shown around I & C: encrypted and integrity-checked traffic; traffic access control; intrusion detection and prevention; network authentication / authorization; application proxy
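Of the man-in-the-middle outcomes listed above, "incorrect control settings are sent to the system" is the one that the "encrypted and integrity-checked traffic" control is there to defeat. The following added example, not code from the presentation, shows the mechanism in the smallest form: every control frame carries a sequence counter and an HMAC-SHA256 tag, and the receiver rejects frames whose tag does not verify (modified in transit), whose counter does not advance (replayed) or that are too short to carry a tag (stripped). The frame layout, the key and the command strings are constructed for illustration.

```python
# Added example: frame layout (4-byte sequence number || payload || 32-byte
# HMAC-SHA256 tag), key and command strings are constructed for illustration.
import hashlib
import hmac
import struct

TAG_LEN = 32
KEY = b"constructed-demo-key-do-not-use-in-production"  # provisioned per link in practice


def protect(key, seq, payload):
    """Sender side: tag covers the sequence number too, so it cannot be re-used
    on a different position in the stream."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Verifies the tag before touching the payload and rejects sequence
    numbers that do not advance, so a captured frame cannot be replayed."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def accept(self, frame):
        if len(frame) < 4 + TAG_LEN:
            return (False, "truncated", None)
        header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return (False, "bad_mac", None)
        seq = struct.unpack(">I", header)[0]
        if seq <= self.last_seq:
            return (False, "replay", None)
        self.last_seq = seq
        return (True, "ok", payload)


def run_scenario():
    """One genuine command, then the attacker's options against it."""
    rx = Receiver(KEY)
    results = []

    good = protect(KEY, 1, b"SET breaker_7 OPEN")
    results.append(("genuine", rx.accept(good)[1]))

    # Attacker rewrites the command text but cannot recompute the tag without the key.
    tampered = good[:4] + b"SET breaker_7 CLOSE" + good[-TAG_LEN:]
    results.append(("modified_payload", rx.accept(tampered)[1]))

    # Attacker replays the captured genuine frame later.
    results.append(("replayed", rx.accept(good)[1]))

    # Attacker strips the tag, hoping the receiver falls back to unauthenticated mode.
    results.append(("truncated", rx.accept(good[:10])[1]))

    # The next genuine command still flows.
    results.append(("genuine_next", rx.accept(protect(KEY, 2, b"GET breaker_7"))[1]))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario():
        print(f"{name:17s} -> {verdict}")
```

Two caveats a practitioner should keep in mind. The counter check accepts gaps (a lost frame does not block the next one) but rejects anything at or below the last accepted value, so the counter must be per direction and re-initialized with every key change. And a MAC gives integrity and origin authenticity only: an attacker on the path can still read, drop or delay frames, which is why the slide pairs this control with traffic access control, intrusion detection and the monitoring in CIP-005 Requirement 3. Where the protocol offers it natively (DNP3 Secure Authentication in IEEE 1815 is one example), prefer the standardized mechanism over a home-grown framing.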
Defense in Depth: EMS / Operator Connectivity
Controls shown around I & C: event monitoring; separate EMS enclaves for PDS and QAS; workstation dual-homed / EMS direct connection; unique operator login; DHCP snooping / port security / DNS host files
• EMS enclave
• Separate development and quality assurance enclaves
• An islanded architecture with dedicated infrastructure is acceptable
• Note: this is not an exhaustive list of Defense in Depth solutions
Operational Workflow for Managing ESP/PSP Access Requests and Approvals
• Same workflow for both physical and cyber access
• Defines the approval process for creation and modification of access and for revocation of rights
NERC CIP Compliance
Defining your ESP Vulnerability Assessment Methodology
Defining an ESP Vulnerability Assessment Methodology appropriate for the bulk electric system
The ESP Vulnerability Assessment Methodology considers the threat, the cyber asset, the adversary type, known vulnerabilities and the consequences of an adversary's success to arrive at a relative risk level and an appropriate response. Automated and manual vulnerability analysis is performed by the IT Security department and the FERC/NERC Compliance department to identify both effective and ineffective security controls. The results are provided to the FERC/NERC Compliance Director and reviewed; appropriate countermeasures are identified, developed, applied in a test environment, reviewed for acceptance and propagated to production. The methodology is then reapplied to measure the relative risk reduction achieved. This iterative process continues until the most appropriate method for reducing risk to an acceptable level has been identified and approved by the FERC/NERC Compliance Director.
Performing a Vulnerability Assessment within and against your ESP
• Defined in CIP-005 Requirement 4 and CIP-007 Requirements 3 and 8
• Typically do not perform tests against live systems: the risk is substantial
• Ensure the accuracy of the recorded system state against your change management system
• Define the appropriate personnel for risk acceptance and mitigation procedures
• Create an appropriate set of procedures to
  – adequately test the response of the system and its associated controls
  – migrate the modifications through staging
  – provide an appropriate rollback structure
Selecting Vulnerability Management Solutions
Review vulnerability management solutions for the following requirements:
• Ability to generate audit trails and appropriate reports, and integration with your situational awareness software
• Breadth of supported capabilities to validate the networks, applications and operating systems in your environment
• Ability to operate in an Internet-isolated environment, leveraging a proxy solution
• Interoperability with NIST or CISecurity.org baseline criteria definitions
• Support agreement and associated service level capabilities
• Incremental patch deployment to categorically identified systems and applications on a schedulable basis
• Support for the appropriate trust model for your organization's access control model
• High level of assurance of the system's accuracy and efficiency in your environment
Vulnerability Assessment Process
• Network tests
  – Remote / local scanning using GFI LANguard, Nessus and Harris STAT
  – Remote / local penetration testing using BackTrack 2 tools with Metasploit 3
• Local tests
  – CISecurity.org assessment scoring tools
  – Reviewing new NIST SCAP vendors (part of the Federal Desktop Core Configuration initiative)
Responding to results from your vulnerability assessment
• Do not PANIC. However, review high-risk results immediately and identify whether other defense-in-depth controls already provide protection
• Vulnerability assessments should be a dialogue between the audit team and the systems personnel
• Appropriately document, notify the vendor for resolution and receive the update, then validate it using the patch testing methodology created under CIP-007 Requirement 3
NERC CIP Compliance
Simple Principles to reflect upon while architecting
Simple Principles
• Isolation provides protection
  – The more isolated an environment is from others, the greater the success of physical and logical security controls in assuring continuously accurate information and control
Simple Principles
• Your conversations will be eavesdropped upon
  – Any verbal, paper or electronic conversation can be monitored; you must accept this and use the appropriate protective controls to limit your risk
• Assets will be physically stolen or lost
  – Physical assets, physical assets storing electronic information and electronic assets will be stolen or lost
  – You must limit the impact of any theft of information
Simple Principles
• Build with a moat (control)
  – Separate trust levels / security enclaves
  – Understand how the moat (control) works
• (or) Build with Nightingale Floors*
* Nijo Castle, Kyoto, Japan
Simple Principles
• Vulnerabilities are the gateways through which threats manifest themselves
• Threats exist: hackers, corporations, nation states
Diagram: RISK shown in relation to THREAT, VULNERABILITY and MISSION
Risk Assessment Relationship
Based upon ISO/IEC 15408 (Common Criteria). The diagram reads: owners value assets and wish to minimize risks; owners impose countermeasures to reduce risks; countermeasures may possess vulnerabilities, and owners may be aware of vulnerabilities; vulnerabilities lead to risks and may be reduced by countermeasures; threat agents give rise to threats that exploit vulnerabilities and increase risks to assets; threat agents wish to abuse or damage assets.
Simple Principles
• Security or risk mitigation controls must be well understood to be properly used
  – A detailed understanding of the category of the control: directive, preventive, compensating, detective, corrective